
Thread: CLick.Giftloader Re-appearing and possible rootkit infection.

  1. #11
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Nice job. These rootkits sometimes bring friends along with them; let's check.

    First run DDS and post a new log, and let's make sure it's gone.

    Then run these in order.

    Then run these in order

    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report, please.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Junior Member
    Join Date
    Apr 2011
    Posts
    28

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by User at 17:17:05.29 on Tue 04/26/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1247 [GMT -7:00]
    .
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\User\My Documents\Downloads\dds.com
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page =
    mStart Page = hxxp://www.att.net
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant =
    mWinlogon: Userinit=userinit.exe
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {9030d464-4c02-4abf-8ecc-5164760863c6} - Windows Live ID Sign-in Helper
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256651880125
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ljvrwzqo.default\
    FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\windows\microsoft.net\framework\v4.0.20506\wpf\NPWPF.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v4.0.20506\wpf\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
    FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-27 54752]
    R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-10-27 135168]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-1 102448]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110425.002\naveng.sys [2011-4-25 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110425.002\navex15.sys [2011-4-25 1393144]
    R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-10-26 6016]
    S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\microsoft.net\framework\v4.0.20506\mscorsvw.exe [2009-5-6 104272]
    S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
    .
    =============== Created Last 30 ================
    .
    2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.vir
    2011-04-26 01:31:30 -------- d-sha-r- C:\cmdcons
    2011-04-26 01:26:00 98816 ----a-w- c:\windows\sed.exe
    2011-04-26 01:26:00 89088 ----a-w- c:\windows\MBR.exe
    2011-04-26 01:26:00 256512 ----a-w- c:\windows\PEV.exe
    2011-04-26 01:26:00 161792 ----a-w- c:\windows\SWREG.exe
    2011-04-23 22:01:11 -------- d-----w- c:\program files\Safer Networking
    2011-04-22 16:07:24 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Trusteer
    2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-22 04:00:17 -------- d-----w- c:\docume~1\user\applic~1\Trusteer
    2011-04-22 04:00:11 -------- d-----w- c:\program files\Trusteer
    2011-04-22 03:58:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
    2011-04-08 17:17:38 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    .
    ==================== Find3M ====================
    .
    2011-04-27 00:17:28 143360 ----a-w- c:\windows\system32\mnmsrvc.vir
    2011-04-27 00:17:21 261120 ----a-w- c:\windows\system32\imapi.exe
    2011-04-26 23:59:56 146432 ----a-w- c:\windows\system32\rcimlby.exe
    2011-04-26 23:59:31 457728 ----a-w- c:\windows\system32\tourstart.exe
    2011-04-26 23:59:27 253952 ----a-w- c:\windows\system32\mobsync.exe
    2011-04-26 23:59:22 179712 ----a-w- c:\windows\system32\notepad.exe
    2011-04-26 23:59:03 499712 ----a-w- c:\windows\system32\cmd.exe
    2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.exe
    2011-04-26 04:41:26 326144 ----a-w- c:\windows\system32\osk.exe
    2011-04-26 04:41:20 164352 ----a-w- c:\windows\system32\narrator.exe
    2011-04-26 04:41:13 183296 ----a-w- c:\windows\system32\magnify.exe
    2011-04-26 01:53:44 400384 ----a-w- c:\windows\system32\vssvc.exe
    2011-04-26 01:53:34 129024 ----a-w- c:\windows\system32\ups.exe
    2011-04-26 01:53:25 183808 ----a-w- c:\windows\system32\tlntsvr.exe
    2011-04-26 01:53:16 200192 ----a-w- c:\windows\system32\smlogsvc.exe
    2011-04-26 01:53:03 206336 ----a-w- c:\windows\system32\scardsvr.exe
    2011-04-26 01:53:02 185856 ----a-w- c:\windows\system32\locator.exe
    2011-04-26 01:52:57 221696 ----a-w- c:\windows\system32\netdde.exe
    2011-04-26 01:52:48 116736 ----a-w- c:\windows\system32\msdtc.exe
    2011-04-26 01:52:22 143872 ----a-w- c:\windows\system32\clipsrv.exe
    2011-04-26 01:52:14 116224 ----a-w- c:\windows\system32\cisvc.exe
    2011-04-26 01:52:03 155136 ----a-w- c:\windows\system32\alg.exe
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    .
    ============= FINISH: 17:18:25.18 ===============


    PS. When making pesto, adding peas may add body and give it a slightly sweeter flavor. If you buy pre-made pesto, such as Kirkland for example, adding peas is an excellent idea.

  3. #13
    Junior Member
    Join Date
    Apr 2011
    Posts
    28

    I have these 2 files on my local disk that I believe may be associated with the problem. They're each roughly 2 million-3 million KB.

  4. #14
    Junior Member
    Join Date
    Apr 2011
    Posts
    28

    Quote Originally Posted by super.duper
    I have these 2 files on my local disk that I believe may be associated with the problem. They're each roughly 2 million-3 million KB.
    hiberfil.sys
    and
    pagefile.sys

    I will not touch them, but do you suggest using File Assassin, which comes with Malwarebytes? I DID previously try using File Shredder with Spybot, because at that moment I felt 100% sure they were bad, because I have never seen them before. I'll wait for your advice.

    Here is my Malwarebytes report. I did a full scan; I do hope that is OK with you.


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6451

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/26/2011 7:00:36 PM
    mbam-log-2011-04-26 (19-00-36).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 248252
    Time elapsed: 58 minute(s), 3 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    c:\WINDOWS\system32\notepad.exe (Trojan.FakeMS) -> 1936 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\notepad.exe (Trojan.FakeMS) -> Delete on reboot.
    c:\program files\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\WINDOWS\aputumuf.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\calc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\utilman.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\utilman.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.



    I cleaned the risks and they were deleted.

    This is a quick scan I ran after I rebooted the system to fix some problems.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6451

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/26/2011 7:20:59 PM
    mbam-log-2011-04-26 (19-20-59).txt

    Scan type: Quick scan
    Objects scanned: 180837
    Time elapsed: 8 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
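As an added example (not code from the thread or from either tool's vendor), this Python parses the DDS file-listing entries from post #12 and the Malwarebytes "Files Infected" lines from this post, flags system32 executables modified within 30 days of the log run and notes any .vir companion, then reports which flagged binaries MBAM named and which remain unexplained. The sample lines are copied from the logs above; the 30-day window and treating a same-stem .vir file as a companion are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the DDS "Created Last 30" / "Find3M" sections in
# post #12; the run date is from that log's header (17:17:05 on 04/26/2011).
DDS_RUN_DATE = datetime(2011, 4, 26, 17, 17, 5)
SAMPLE_DDS_LINES = [
    r"2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.vir",
    r"2011-04-26 01:31:30 -------- d-sha-r- C:\cmdcons",
    r"2011-04-26 01:26:00 98816 ----a-w- c:\windows\sed.exe",
    r"2011-04-26 23:59:22 179712 ----a-w- c:\windows\system32\notepad.exe",
    r"2011-04-26 23:59:03 499712 ----a-w- c:\windows\system32\cmd.exe",
    r"2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.exe",
    r"2011-04-26 01:52:03 155136 ----a-w- c:\windows\system32\alg.exe",
    r"2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll",
    r"2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe",
]
# Sample "Files Infected" lines from the Malwarebytes full-scan report in post #14.
SAMPLE_MBAM_LINES = [
    r"c:\WINDOWS\system32\notepad.exe (Trojan.FakeMS) -> Delete on reboot.",
    r"c:\WINDOWS\aputumuf.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.",
    r"c:\WINDOWS\system32\calc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.",
    r"c:\WINDOWS\system32\utilman.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.",
    r"c:\WINDOWS\system32\utilman.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.",
]
SYSTEM32 = "c:\\windows\\system32\\"
# DDS file entry: "<date> <time> <size or dashes> <attribute flags> <path>"
DDS_ENTRY = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$")
# MBAM detection line: "<path> (<threat name>) -> <action taken>"
MBAM_HIT = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")

@dataclass
class Entry:
    when: datetime
    size: Optional[int]   # None for directories, which DDS prints as dashes
    attrs: str
    path: str             # lower-cased so it matches MBAM's path spelling

def parse_dds(lines: List[str]) -> List[Entry]:
    """Parse the file-listing lines of a DDS log, skipping headers and separators."""
    entries = []
    for line in lines:
        m = DDS_ENTRY.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(when, size, m["attrs"], m["path"].lower()))
    return entries

def flag_system_binaries(entries: List[Entry], run_date: datetime,
                         window_days: int = 30) -> Dict[str, List[str]]:
    """Return {basename: reasons} for system32 .exe files modified inside the
    window before the log run. A .vir file sharing the stem is reported as a
    companion, the pattern the log shows for utilman.exe / utilman.vir."""
    cutoff = run_date - timedelta(days=window_days)
    vir_stems = {e.path[:-4] for e in entries if e.path.endswith(".vir")}
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        if not (e.path.startswith(SYSTEM32) and e.path.endswith(".exe")):
            continue
        if e.when < cutoff:  # file times may be UTC vs. a local run time; the window absorbs that
            continue
        reasons = [f"modified {e.when:%Y-%m-%d %H:%M}, within {window_days} days of the run"]
        stem = e.path[:-4]
        if stem in vir_stems:
            reasons.append(f"has .vir companion {stem}.vir")
        flagged[e.path.rsplit("\\", 1)[-1]] = reasons
    return flagged

def parse_mbam_hits(lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each detected path (lower-cased) to its (threat name, action)."""
    hits = {}
    for line in lines:
        m = MBAM_HIT.match(line.strip())
        if m:
            hits[m["path"].lower()] = (m["threat"], m["action"])
    return hits

def correlate(flagged: Dict[str, List[str]],
              hits: Dict[str, Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Split flagged binaries into those MBAM named and those still unexplained
    (candidates for comparison against a known-good copy of the same build)."""
    confirmed, unexplained = {}, []
    for name in flagged:
        hit = hits.get(SYSTEM32 + name)
        if hit:
            confirmed[name] = hit[0]
        else:
            unexplained.append(name)
    return confirmed, sorted(unexplained)

if __name__ == "__main__":
    flagged = flag_system_binaries(parse_dds(SAMPLE_DDS_LINES), DDS_RUN_DATE)
    confirmed, unexplained = correlate(flagged, parse_mbam_hits(SAMPLE_MBAM_LINES))
    for name, reasons in flagged.items():
        print(f"{name}: {'; '.join(reasons)}")
    print("named by MBAM:", confirmed, "| still unexplained:", unexplained)
```

On the sample above, utilman.exe and notepad.exe are flagged and matched to MBAM's Trojan.FakeMS detections, while cmd.exe and alg.exe are flagged but unexplained by MBAM.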

  5. #15
    Junior Member
    Join Date
    Apr 2011
    Posts
    28

    Just in case you're interested.

    My Symantec picks this up on the auto-protect.
    Suspicious.MH690

    Location is Microsoft Outlook.

    I am going to run a full scan using this antivirus; however, I won't take any action on the files.

    Sorry, the emotes are tempting.

  6. #16
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Those files you mentioned are legit Windows files, so leave them be.

    You may have an email in Outlook with a bad link or attachment; you may want to open all those folders and delete what you don't need.

    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.

  7. #17
    Junior Member
    Join Date
    Apr 2011
    Posts
    28

    C:\111\D865PERL\LAN_allOS_11.2_PV_TL3_132319_FULL\APPS\ASF\Win32\AGENT\Setup.exe a variant of Win32/Expiro.T virus
    C:\111\D865PERL\LAN_allOS_11.2_PV_TL3_132319_FULL\APPS\iSCSI\Win32\iSCSIApp.exe a variant of Win32/Expiro.T virus
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE a variant of Win32/Expiro.T virus
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE a variant of Win32/Expiro.T virus
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch3.zip Win32/Bagle.gen.zip worm
    C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ljvrwzqo.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js JS/Redirector.NBI trojan
    C:\Documents and Settings\User\Desktop\iFunBox.exe a variant of Win32/Expiro.T virus
    C:\Documents and Settings\User\Desktop\iFunBox.vir a variant of Win32/Expiro.T virus
    C:\Documents and Settings\User\Local Settings\Tempwinconfig.vbs VBS/TrojanDownloader.Agent.NDV trojan
    C:\Documents and Settings\User\temp\TeamViewer\Version5\install.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ABBYY FineReader 6.0 Sprint\Sprint.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ABBYY FineReader 6.0 Sprint\TrigrammsInstaller.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ABBYY FineReader 6.0 Sprint\Scan\ScanMan6.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ABBYY FineReader 6.0 Sprint\Scan\Twain\TWUNK_32.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\ABBYY FineReader 6.0 Sprint\Support\Ainfo.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\plug_ins\PaperCapture\Server\Roman\capserve.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\Acrobat Elements.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\AEEnable.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\DLSLdr.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\install.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\RemADI.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\RemDev.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\Remove.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\SMAgentI.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\SMAgentX.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\SMax4.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Analog Devices\SoundMAX\SMax4Wiz.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ArcSoft\Print Creations\PrintCreations.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ArcSoft\Print Creations\PrintCreationsCF.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ArcSoft\Print Creations\PrintCreationsDL.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ArcSoft\Print Creations\PrintCreationsUP.exe a variant of Win32/Expiro.T virus
    C:\Program Files\ArcSoft\Print Creations\Help\htmindex.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CAL\CALMAIN.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CAL\CALWLESS.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncher.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncherDVC6.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraWindowCompDVC6.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CamSetDlg.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\DirectTransfer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\MyCameraDVC6.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\CameraLauncher.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\MyCamera\MyCamera.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\MyCameraDC\MyCameraDC.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\RCTask.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPBatch.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPEditor.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPLensViewer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPPrinter.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPRenamer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPStamp.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPTrimmer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\Digital Photo Professional\DPPWorker.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\PhotoStitch\360View.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\PhotoStitch\stitch.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\PhotoStitch\STLauncher.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\PhotoStitch\STViewer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\ZoomBrowser EX\Program\dbconverter.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\ZoomBrowser EX\Program\ZbScreenSaver.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\ZoomBrowser EX\Program\ZoomBrowser.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\ZoomBrowser EX MCU\MCU.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher_UL.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\copier.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\patchsdk.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\zipper.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\patchjre.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\zipper.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\DJSActiv.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\LOGBOOK.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\LOGGER.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\sevinst.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\SYMUNDO.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\LiveReg\IraLrShl.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\LiveReg\VcCleanUp.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe a variant of Win32/Expiro.T virus
    C:\Program Files\epson\escndv\escndv.exe a variant of Win32/Expiro.T virus
    C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\Setup.exe a variant of Win32/Expiro.T virus
    C:\Program Files\InstallShield Installation Information\{901DC58A-5C1B-4315-BA40-5AD3D3A463B9}\setup.exe a variant of Win32/Expiro.T virus
    C:\Program Files\InstallShield Installation Information\{DBFE5FBD-A7D9-4F74-88A1-2B042722F2DB}\Setup.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel\PerformanceIndex\PerfIndex.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel\StressTest\StressTest.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel\StressTest\UninstallWrap.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\AEEnable.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\RemADI.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SMAXWDM\W2K_XP\install.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SMAXWDM\W2K_XP\Remove.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SM_Comn\Wizards\SMax4Wiz.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgent.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgentI.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgentX.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMax4.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SM_PNP\Sys\SMax4PNP.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SM_Synth\DLSLdr.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\SM_Synth\Sys\RemDev.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\Sys\CleanUp.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Intel Desktop Board Audio Driver\Sys\DSndUp.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Internet Explorer\ExtExport.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Internet Explorer\iedw.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\appletviewer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\apt.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\extcheck.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\HtmlConverter.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\idlj.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jar.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jarsigner.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\java-rmi.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\java.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\javac.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\javadoc.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\javah.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\javap.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\javaw.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\javaws.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jconsole.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jdb.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jhat.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jinfo.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jmap.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jps.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jrunscript.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jstack.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jstat.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\jstatd.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\keytool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\kinit.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\klist.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\ktab.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\native2ascii.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\orbd.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\pack200.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\packager.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\policytool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\rmic.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\rmid.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\schemagen.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\serialver.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\servertool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\tnameserv.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\unpack200.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\wsgen.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\wsimport.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\bin\xjc.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\java-rmi.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\java.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\javacpl.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\javaw.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\javaws.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\jusched.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\keytool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\kinit.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\klist.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\ktab.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\orbd.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\pack200.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\policytool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\rmid.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\servertool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\tnameserv.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jdk1.6.0\jre\bin\unpack200.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\java-rmi.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\java.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\javacpl.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\javaw.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\javaws.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\jusched.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\keytool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\kinit.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\klist.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\ktab.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\orbd.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\pack200.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\policytool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\rmid.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\servertool.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\tnameserv.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Java\jre1.6.0\bin\unpack200.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Messenger\msmsgs.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Microsoft Office\OFFICE11\1033\SCHDPL32.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Movie Maker\moviemk.exe a variant of Win32/Expiro.T virus
    C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe a variant of Win32/Expiro.T virus
    C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe a variant of Win32/Expiro.T virus
    C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe a variant of Win32/Expiro.T virus
    C:\Program Files\MSN Gaming Zone\Windows\zClientm.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NetMeeting\conf.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\CKA.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\NSWCfg.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\OBC.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\BACKLOG.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\NORTON.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\REGWDOC.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\SI32.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\SIREGIST.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\UE32.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\WDSCAN.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\WINDOC.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Norton Utilities\WIPINFNT.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Speed Disk\NOPDBInit.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Speed Disk\SDNTC.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Speed Disk\sdntdolu.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Speed Disk\sdntrun.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Speed Disk\SIREGIST.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Speed Disk\SIREGSRV.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Web Cleanup\WCQuick.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Norton SystemWorks\Web Cleanup\WCViewer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NovaLogic\Delta Force 2\Df2.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NovaLogic\Delta Force 2\Df2med.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NovaLogic\Delta Force 2\Nlreg.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NovaLogic\Delta Force 2\Pack.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NovaLogic\Delta Force 2\Revupdat.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NovaLogic\Delta Force 2\Update.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\inst32.exe a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\FILEMGR.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPASC.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPCMP.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPCOM.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPCPD.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPCPY.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPDEL.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPENC.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPEXP.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPFMT.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPLBL.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPLNK.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPMKD.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPMOV.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPNTC.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPPRT.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPREN.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPRUN.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPSYN.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPUDO.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\NTTools\NFileMgr\SYMAPUUE.EXE a variant of Win32/Expiro.T virus
    C:\Program Files\Outlook Express\msimn.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Outlook Express\oemig50.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Outlook Express\setup50.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Outlook Express\wabmig.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Quick View Plus\Program\qvp32.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Quick View Plus\Program\qvpcomp.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Quick View Plus\Support\Quikview.exe a variant of Win32/Expiro.T virus
    C:\Program Files\QuickTime\PictureViewer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\QuickTime\QTTask.exe a variant of Win32/Expiro.T virus
    C:\Program Files\QuickTime\QTSystem\QuickTimeUpdateHelper.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Safer Networking\FileAlyzer 2\FileAlyzer2.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Spybot - Search & Destroy\SDFiles.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Connect 2\wmccds.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Connect 2\WMCCFG.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\dlimport.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\migrate.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\setup_wm.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\wmdbexport.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\wmlaunch.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\wmpenc.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\wmplayer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\wmpnetwk.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\wmpnscfg.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\wmpshare.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows Media Player\wmsetsdk.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows NT\dialer.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows NT\hypertrm.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows NT\Accessories\wordpad.exe a variant of Win32/Expiro.T virus
    C:\Program Files\Windows NT\Pinball\pinball.exe a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\alg.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\cisvc.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\clipsrv.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dllhost.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dmadmin.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\imapi.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\itlnfw32.dll.vir a variant of Win32/Koblu.A trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\locator.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\mnmsrvc.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\msdtc.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\msiexec.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\netdde.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rsvp.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\scardsvr.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\sessmgr.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\smlogsvc.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tlntsvr.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ups.exe.vir a variant of Win32/Expiro.T virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\vssvc.exe.vir a variant of Win32/Expiro.T virus
    C:\WINDOWS\IsUninst.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\uninsqvp.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\winhlp32.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\$hf_mig$\KB2183461-IE8\SP3QFE\ie4uinit.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\$hf_mig$\KB2229593\SP3QFE\helpsvc.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.vir a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\accwiz.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\alg.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\charmap.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\cisvc.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\cleanmgr.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\clipsrv.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\cmd.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\dllhost.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\dmadmin.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\freecell.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\imapi.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\locator.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\magnify.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\mnmsrvc.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\mobsync.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\msdtc.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\mshearts.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\msiexec.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\mspaint.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\mstsc.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\narrator.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\netdde.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\ntbackup.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\odbcad32.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\osk.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\rcimlby.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\rsvp.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\rundll32.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\scardsvr.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\sessmgr.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\smlogsvc.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\sndrec32.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\sndvol32.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\sol.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\spider.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\tlntsvr.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\tourstart.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\ups.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\vssvc.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\wiaacmgr.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\winmine.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\wupdmgr.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\Restore\rstrui.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FARNEQA.EXE a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\usmt\migwiz.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\wbem\wmiapsrv.vir a variant of Win32/Expiro.T virus
    C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe a variant of Win32/Expiro.T virus
    C:\WINDOWS\twain_32\escndv\escndv.exe a variant of Win32/Expiro.T virus
    Operating memory a variant of Win32/Expiro.T virus



    =========
    Ok, here it is. I did not fix any; I just followed the directions. After turning TeaTimer back on, it kept asking me about registry changes under the category "Firewall Authorized Applications". I have neither accepted nor denied the changes.

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Well, this is where we're at. Read this, please:
    http://www.f-secure.com/v-descs/viru...expiro_a.shtml

    What that means is the virus will just keep on infecting .exe files; when you remove what it infected, it will just reinfect them again. This virus also may have stolen credit card and banking information. I would urge you to use a known clean computer and change all your passwords for the sites you use for shopping and banking; also keep an eye on your statements for any unauthorized charges.

    This computer has been compromised; that means it can never be trusted. I feel at this point that the only thing to do is to format and reinstall Windows to guarantee a nice, clean and safe computer.

    If you need help with this, let me know and I can link you to a Windows forum that can help you.

    Just a reminder that threads will be closed if no reply in 3 days.
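As an added example (not part of this thread, and not ESET's or any helper's tooling), the following Python script triages an ESET scan log of the shape posted above. The log lines embedded in it are a constructed subset in the same `<path> <detection>` format as the posted log; the set of "critical" Windows binaries is my own choice of names that appear in that log. The script groups detections by family and by location and flags the two conditions that make in-place cleaning pointless for a file infector: the virus resident in operating memory, and core Windows executables (cmd.exe, rundll32.exe, msiexec.exe, powershell.exe) carrying it, so that every routine program launch reinfects whatever was just cleaned.

```python
"""Triage an ESET scan log listing infected PE files (added example, not from the thread)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed subset in the same "<path> <detection>" layout as the posted ESET log.
SAMPLE_LOG = r"""
C:\Program Files\Java\jre1.6.0\bin\java.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\javaw.exe a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\alg.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlnfw32.dll.vir a variant of Win32/Koblu.A trojan
C:\WINDOWS\system32\cmd.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\rundll32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\msiexec.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe a variant of Win32/Expiro.T virus
Operating memory a variant of Win32/Expiro.T virus
"""

# One log line: a path (may contain spaces), then an optional "a variant of" prefix,
# then "<platform>/<family> <kind>". Non-greedy path + anchored tail keeps the split right.
LINE_RE = re.compile(
    r"^(?P<path>.*?)\s+(?:(?:probably )?a variant of\s+)?"
    r"(?P<family>[A-Za-z0-9]+/[^\s]+)\s+(?P<kind>virus|trojan|worm|adware|application)\s*$"
)

# Assumption: live system binaries that, once infected, are executed by ordinary
# use of the machine and therefore spread the infector again. Names taken from the log.
CRITICAL_BINARIES = {
    "cmd.exe", "rundll32.exe", "msiexec.exe", "powershell.exe",
    "dllhost.exe", "alg.exe", "vssvc.exe", "msdtc.exe",
}


@dataclass(frozen=True)
class Finding:
    path: str
    family: str
    kind: str
    zone: str

    @property
    def filename(self) -> str:
        """Base name, with a ComboFix/ESET '.vir' rename stripped so it matches the original."""
        name = self.path.rsplit("\\", 1)[-1].lower()
        return name[:-4] if name.endswith(".vir") else name


def classify_zone(path: str) -> str:
    """Where the detection lives: memory, a quarantine copy, the OS tree, or an application."""
    p = path.lower()
    if p == "operating memory":
        return "memory"
    if "\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"          # renamed copy; not on any normal execution path
    if "\\windows\\" in p:
        return "system"
    if "\\program files" in p:
        return "program"
    return "other"


def parse_log(text: str) -> list[Finding]:
    """Parse every '<path> <detection>' line; headers and unparsable lines are skipped."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        path = m.group("path")
        findings.append(Finding(path, m.group("family"), m.group("kind"), classify_zone(path)))
    return findings


def triage(findings: list[Finding]) -> dict:
    """Summarise by family and zone and decide whether a rebuild is the only sane option."""
    families = Counter(f.family for f in findings)
    zones = Counter(f.zone for f in findings)
    # Only live copies count: an infected alg.exe.vir in quarantine is not executed.
    critical = sorted({f.filename for f in findings
                       if f.zone == "system" and f.filename in CRITICAL_BINARIES})
    in_memory = zones["memory"] > 0
    reasons = []
    if in_memory:
        reasons.append("infector resident in memory: cleaned files will be reinfected")
    if critical:
        reasons.append("core Windows binaries infected: " + ", ".join(critical))
    return {
        "families": dict(families),
        "zones": dict(zones),
        "critical_binaries": critical,
        "in_memory": in_memory,
        "rebuild_recommended": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it against the real log, replace `SAMPLE_LOG` with the file contents, for example `parse_log(open("eset.txt", encoding="utf-8", errors="replace").read())`. The zone split is the useful part of the output: a handful of hits under Program Files is a cleanup job, but hits in `system32` plus a resident copy in memory mean that every `rundll32.exe` or `msiexec.exe` launch re-seeds the infection, which is exactly the reinfection loop described in the post above.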

  9. #19
    Junior Member
    Join Date
    Apr 2011
    Posts
    28

    Default


    So what ways can I purge this computer?
    I heard something about a boot CD? Will that work?
    While my OS is legitimate, I obtained it with the OS pre-installed.

    Would directly updating Windows XP to Windows 7 clean it?

    Does this worm actually obtain infestation that's stored in the system from previous credit card purchases, etc.? Does it pretty much have everything?

    What would you recommend on cleaning it?

    Thank you very much for your help.

  10. #20
    Junior Member
    Join Date
    Apr 2011
    Posts
    28

    Default

    And if you could, please link me to the forum on doing this reformatting/reinstalling.
